CVE-2026-52719
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk22th percentile - higher than 22% of all known CVEs
Summary
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data.
Risk Assessment
A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.
Recommendation
Immediately update the gst-plugins-bad package to a version containing the fix for CVE-2026-52719. Until updated, avoid opening untrusted JPEG files in applications using GStreamer.
Original NVD description (English source)
An out-of-bounds read vulnerability was found in the VA JPEG decoder in GStreamer's gst-plugins-bad. The JPEG parser reads a segment length value from the bitstream without validating it against available data. A remote attacker could trick a user into opening a specially crafted JPEG file, causing downstream parsing to read beyond the provided input buffer, leading to a crash or potential information disclosure.

